Due to the comprehensive use of electronic data processing systems for financial transactions, systems for identifying and/or authenticating persons prior to the implementation of commercial transactions are becoming more and more important. The identification of a person, which is usually necessary at the beginning of the process, serves the purpose of determining the identity of the person in question. Authentication is generally defined as a control process which takes place after identification and with which it can be ascertained whether the information given by the person in the course of identification is correct; it thus serves the purpose of verifying the identity of the person.
At present, two “token”-based methods are customary in financial transactions. In this context, tokens are defined as key objects used in the identification/authentication process, i.e. primarily the conventional magnetic-strip or chip cards. When customers are prepared to pay, they identify themselves with their bank card or credit card on which the customer's signature is shown, and in which a usually four-digit personal identification number (PIN) is stored that is known only to the customer.
With the first customary method, customers must provide a signature with the salesperson in attendance, and authentication is made visually by comparing the customer's signature with the signature shown on the card. This method is often proving to be unsatisfactory due to its imminent flaws caused by the fact that with the variety of writing utensils and on different writing surfaces, signatures can vary and are often quite easy to forge. Furthermore, the sales staff is often negligent in checking the signatures.
In addition, it may happens, for example in restaurants, that fraudulent personnel can, in a short time span and unnoticed, use a customer's credit card to create an illegal copy on which a transaction unauthorized by the customer is later written.
With the second customary method, customers authenticate themselves by inserting their PIN unseen by others in a card reader installed by the goods or service provider, which is connected via a communication network with the financial institution carrying out the desired transaction, and which authorizes this transaction when the PIN entered by the customer is identical to the PIN stored in the card.
However, the principle of personal identification numbers has several disadvantages, some of which will be explained briefly below.
A person's PIN, which is not context-related but chosen purely at random, is usually written down by the customer in a presumably secure place, such as a note pad or an appointment calendar, since otherwise the customer may forget the PIN as time goes on. However, writing down the personal identification number is risky, because there is, of course, always the danger of losing the note pad or appointment calendar. As a result, the personal identification number is irretrievably lost, and the owner must apply for a new bank card or credit card with a new personal identification number, which is usually connected with an inordinate amount of administrative work, is time-consuming and often also expensive.
Furthermore, there is a risk of card abuse when a third party comes into possession of a PIN or password. This can happen when a person is surreptitiously watching the owner as he enters the PIN, or when documents such as notebooks or appointment calendars (in which such personal identification numbers are usually written) are stolen together with the bank card or credit card, or if the unauthorized person loses them, and another person finds them and makes unauthorized use of them.
Unreasonably, consumers often write their PIN directly on the bank card or credit card, so that thieves, when they steal the card, automatically are in possession of the PIN which allows them to make a false authentication. Neither can it be ruled out that a card thief uses electronic means to obtain knowledge of the PIN stored in a card.
In a newer class of authentication methods are so-called biometric methods that utilize electronic evaluation of physiological characteristics such as fingerprints, iris patterns of the eye, or individual voice characteristics (the so-called voice prints). These have the advantage that customers do not have to carry any cards or other tokens of any kind.
WO 98/09227 discloses a method and a system for authorizing commercial transactions between a customer and a vendor without the use of an authentication token, whereby the buyer signals his acceptance of the vendor's offer to implement the transaction by entering his personal authentication information, consisting of a PIN and one or more biometric samples, which are then transmitted to a computer system which compares the received authentication information of the buyer with biometric samples acquired in a registration process. If the computer system successfully identifies the buyer, the buyer's account is debited by an amount that is credited to the vendor's account, and the result of the transaction is transmitted to the vendor as well as to the buyer.
As possible biometric samples to be used, the above patent names a fingerprint of the buyer, an image of the buyer's iris, and the buyer's voice print. As an antidote against theft of the biometric information (in case of a voice print, it might be possible, for example, to secretly record the buyer's voice), WO 98/09227 proposes that the buyer change his PIN that is assigned to the biometric information in the computer's memory. This means that after a theft of the biometric information has occurred, the PIN assumes the task not only of identifying the buyer, but also indirectly of the authentication. With a finite number of digits for the PIN, it would therefore be possible with no more than 10n tries, using the stolen biometric information, to accomplish a wrong authentication and thus a fraudulent transaction.
In general, it should be considered that computer systems communicating via a public communication system are always subject to the risk of manipulation by unauthorized third parties entering the system. If an attempt is made to obtain unauthorized access to a computer system via a publicly accessible network, the manipulator often proceeds by continuously repeated automated dialing (called spamming) of the attacked system. Even if the manipulator were unsuccessful in entering the attacked system, such continuous dialing does interfere with the attacked system's communication and can even lead to the breakdown of its regular communication functions, i.e. the processing of authorized transactions could be interrupted.
To prevent manipulation, it is also desirable that the electronic communication means installed by the vendor is subject to authentication by the computer system undertaking the transaction.
It is an object of the present invention to create a method and a system for authorizing commercial transactions between a buyer and a vendor which provides greater protection against the use by a third party of illegally obtained biometric samples of a person registered as a buyer, as well as against electronic attacks by means of automated continuous dialing (spamming), the method and system furthermore able to ensure the safe identification and authentication of the vendor's connection without the use of a PIN (which has the above described disadvantages), and which can be implemented with a manageable degree of technical complexity.